Department of Homeland Security

Transportation Security Administration Information
Technology Management Progress and Challenges

OIG-13-101    June 2013

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

June 24, 2013

MEMORANDUM FOR:  John W. Halinski
                 Deputy Administrator
                 Transportation Security Administration

FROM:            Frank Deffer
                 Assistant Inspector General
                 Office of Information Technology Audits

SUBJECT:         Transportation Security Administration Information
                 Technology Management Progress and Challenges

Attached for your action is our final report, Transportation Security Administration
Information Technology Management Progress and Challenges. We incorporated the
formal comments from the Transportation Security Administration (TSA).

The report contains five recommendations aimed at improving TSA’s information
technology management. Your office concurred with the recommendations. As prescribed
by the Department of Homeland Security Directive 077-01, Follow-Up and Resolutions for
Office of Inspector General Report Recommendations, within 90 days of the date of this
memorandum, please provide our office with a written response that includes your
(1) corrective action plan and (2) target completion date for each recommendation. Also,
please include responsible parties and any other supporting documentation necessary to
inform us about the current status of the recommendation.
Until your response is received
and evaluated, the recommendations will be considered open and unresolved.

Consistent with our responsibility under the Inspector General Act, we are providing copies
of our report to appropriate congressional committees with oversight and appropriation
responsibility over the Department of Homeland Security.

Please call me with any questions, or your staff may contact Richard Harsche, Division
Director, Information Technology Audits, at (202) 254-5448.

Attachment

Table of Contents

Executive Summary
Background
Results of Audit
    IT Management Capabilities Established
    Recommendations
    Management Comments and OIG Analysis
    Support of Mission Needs
    Recommendations
    Management Comments and OIG Analysis

Appendixes
    Appendix A: Objectives, Scope, and Methodology
    Appendix B: Management Comments to the Draft Report
    Appendix C: Definition of Information Technology
    Appendix D: Major Contributors to This Report
    Appendix E: Report Distribution

Abbreviations
    AIT     Advanced Imaging Technology
    CIO     Chief Information Officer
    DHS     Department of Homeland Security
    EDS     Explosives Detection System
    eTAS    Electronic Time, Attendance, and Scheduling
    FAMS    Federal Air Marshal Service
    FY      fiscal year
    GAO     Government Accountability Office
    IT      information technology
    ITAR    Information Technology Acquisition Review
    MD      Management Directive
    OIG     Office of Inspector General
    OIT     Office of Information Technology
    OMB     Office of Management and Budget
    SELC    systems engineering life cycle
    TSA     Transportation Security Administration

Executive Summary

Information technology plays a critical role in enabling the Transportation Security
Administration (TSA) to accomplish its mission. In 2007, we reported that TSA did not
manage and apply information technology effectively to support accomplishment of its
mission objectives. We conducted a follow-up audit to determine TSA’s progress in
establishing key information technology management capabilities to support mission
needs. Appendix A describes the audit’s scope and methodology.

The TSA Chief Information Officer has established key information technology
management capabilities to support TSA’s mission. Specifically, the Chief Information
Officer updated the information technology strategic plan, implemented a systems
engineering life cycle process to manage information technology programs,
implemented information technology acquisition review processes, and developed an
enterprise architecture. Not all information technology procurements, however, have
gone through the information technology acquisition review process because they were
not categorized as information technology procurements. As a result, there is little
assurance that all information technology investments are aligned with the Chief
Information Officer’s strategy or TSA’s future information technology mission needs.

The TSA Chief Information Officer faces challenges in ensuring that the information
technology environment fully supports TSA’s mission needs. Specifically, TSA’s
information technology systems do not provide the full functionality needed to support
its mission due to challenges with TSA’s requirements gathering process. As a result,
staff created manual workarounds or developed local systems to accomplish their
mission.
In addition, information technology support roles are not well defined or
communicated, and the number of information technology support staff is not sufficient
at certain field sites. Some field sites detailed employees from operational areas to fill
in gaps in information technology support, which reduced the number of staff available
to serve at security checkpoints and may hinder TSA’s ability to carry out its mission.

We made five recommendations to the Deputy Administrator, Transportation Security
Administration, to ensure that the Department’s definition of information technology is
applied for all acquisitions; develop and implement a process to ensure that all
information technology acquisitions go through information technology acquisition
review; develop and implement a process to capture information technology
requirements in the field; communicate the IT specialist role, as contractually defined,
to both IT specialists and to the user community; and develop and implement a process
to provide sufficient IT support in airports and operational sites in the field.

Background

TSA was created in the wake of September 11, 2001, to maintain the security of
transportation systems and the traveling public. By the end of 2002, TSA had deployed
a security operations workforce and assumed 100 percent of all airport screening
responsibilities.
Originally part of the Department of Transportation, transportation
security functions moved to the Department of Homeland Security (DHS) in March 2003.

TSA’s mission is to strengthen the security of the Nation’s transportation systems while
ensuring the freedom of movement for people and commerce. To accomplish its
mission, TSA’s nearly 50,000 Transportation Security Officers screen more than
1.7 million passengers each day at more than 450 airports nationwide. TSA uses
approximately 2,800 Behavior Detection Officers at airports across the country, and
thousands of Federal Air Marshals are deployed every day on domestic and
international flights. TSA has more than 400 explosives specialists in aviation and other
transportation environments. To date, TSA has deployed more than 800 Advanced
Imaging Technology machines at airports, leading to the detection of prohibited, illegal,
or dangerous items. In fiscal year (FY) 2013, TSA’s budget was approximately
$7.6 billion, which represents 13 percent of DHS’ overall budget of approximately
$59 billion.

Information technology (IT) systems play a critical role in enabling TSA to accomplish its
mission. TSA’s Office of Information Technology (OIT) is responsible for developing and
managing IT initiatives and policies for TSA’s IT requirements. OIT supports
approximately 70,000 government and contractor personnel, working at more than 450
airports and at 22 international locations, who use approximately 33,000 computers,
26,000 phones, 4,000 switches, 750 routers, and 90,000 email accounts.
As of October
2012, OIT employed 1,957 staff, including 230 Federal employees and 1,727 contractors.
In FY 2013, TSA requested an IT budget of approximately $417.2 million.

To plan and manage TSA’s critical IT environment, OIT is organized into five offices: the
Senior Technical Advisor and DHS Liaison Office, the Business Management Office,
Federal Air Marshal Service (FAMS) IT, IT Strategy and Innovation, and IT Operations, as
shown in figure 1.

Figure 1. TSA’s OIT Organizational Structure as of June 2012

The Senior Technical Advisor and DHS Liaison Office is responsible for defining the next
generation of TSA and DHS target IT capabilities, based on mission needs. The Business
Management Office ensures that IT is appropriately aligned with OIT, TSA, and DHS
goals and priorities. FAMS IT manages service-wide planning, development, acquisition,
testing, integration, installation, security, use, and evaluation of its IT systems, facilities,
services, and procedures.

IT Strategy and Innovation provides strategic and enterprise services in support of TSA’s
IT programs. Within IT Strategy and Innovation, the Mission Engagement Division builds
and strengthens customer-partner relationships between OIT and TSA mission and
support offices. The Strategy and Enterprise Management Division maintains the TSA IT
strategic plan, creates the OIT annual report, and develops the IT roadmap strategy
from the current, as-is to the future, to-be TSA enterprise environment.
Finally, the
Enterprise Architecture Division provides vision and expertise in enterprise architecture
and enterprise data management services.¹

¹ Enterprise architecture is a management practice designed to maximize the contribution of an agency’s
resources, IT investments, and system development activities to achieve mission performance goals.

IT Operations provides IT support to more than 70,000 users across the agency and
manages IT projects. IT Operations is responsible for 24x7 operations centers, including
the Security Operations Center, Network Operations Center, and Help Desk Services.
Within IT Operations, the End User Services Division provides office automation
services, desk side support, and customer-focused IT project management to more than
3,000 users. This division also serves as the primary customer interface for IT products
and services for more than 120 Federal Security Directors and their more than 50,000
staff at domestic and international locations.
Also under IT Operations, the Applications
Development Division provides enterprise-wide software solutions, and the Operations
and Engineering Division provides project engineering services for all new IT services.
Finally, the Information Assurance and Cyber Security Division coordinates audits on TSA
internal systems, TSA contractor-managed systems, and airports, and is responsible for
the communications and outreach activities related to cyber security for the agency.

OIT is responsible for developing and implementing enterprise-wide common
applications and systems resulting in efficient, cost-effective, secure, and interoperable
solutions to customer requirements. OIT manages some systems, but other TSA offices
outside of OIT, including the Office of Security Capabilities and the Office of Intelligence
and Analysis, manage other systems. TSA’s major systems include the following:

Major Systems Managed by OIT

• Information Technology Infrastructure Program – This program provides a
  communication and data processing platform that is used by all headquarters
  and TSA field elements to perform their mission of providing transportation
  security.
  The program includes email; database support; personal device
  communications; software and hardware refreshment; and hotline,
  technical, and security support.
• Performance Management Information System – This system is an
  enterprise-level analytical tool that integrates data from multiple sources to
  collect and report on a variety of TSA performance measures in order to
  monitor TSA’s progress toward operational goals.
• TSA Operating Platform – This platform is a collection of shared IT
  components and services that support mission critical applications across
  TSA. The platform enables a streamlined provisioning process to acquire
  secure and reliable information and applications to meet legislative
  mandates and deliver integrated database and network resources.
• FAMS Mission Scheduling and Notification System – This system is the
  technology interface between FAMS and the airline industry and provides a
  variety of scheduling tools to help FAMS execute its mission.

Major System Managed by the Office of Security Capabilities

• Security Technology Integrated Program – This program is an agency-wide
  data management system that provides a centralized focal point connecting
  passenger and baggage screening security technologies to one network to
  address data, threat response, and equipment challenges.

Major Systems Managed by the Office of Intelligence and Analysis

• Secure Flight – Secure Flight is a behind-the-scenes program that enhances
  the security of domestic and international commercial air travel through the
  use of improved watch list matching.
• Technology Infrastructure Modernization Program – The purpose of this
  program is to provide a robust and integrated enrollment, vetting, and
  credentialing system capable of providing services to TSA while meeting the
  anticipated rate of growth of the transportation worker population.

Effective management of IT systems is important to ensure that mission operations are
supported. Previous audits have identified challenges with TSA’s IT infrastructure and
management. For example, in 2007, we reported that TSA’s IT infrastructure had
limited system integration and data sharing and had perpetuated inefficient manual
work processes.² Additionally, because of limitations with authority and a need for
standard IT governance policies across TSA, the agency’s Chief Information Officer (CIO)
faced significant challenges in conducting agency-wide IT planning and investment
management.
Insufficient OIT staff also impeded the CIO’s ability to manage the IT
infrastructure and support new technology requirements.

To address those challenges, we recommended that the Assistant Administrator for TSA
strengthen component IT management by empowering the CIO with agency-wide IT
budget and investment review authority; develop a consolidated strategic planning
approach; complete and implement an enterprise architecture; establish and
communicate guidelines and procedures for acquiring, developing, and managing IT
solutions in a consistent, integrated, and efficient manner; and apply adequate staff
resources to address IT needs and provide support to TSA operations agency-wide. In
response, TSA advised the DHS Office of the Inspector General (OIG) that it had updated
the IT strategic plan, developed an enterprise architecture system and repository,
revised its investment review process, and conducted an analysis of its organizational
structure and staff. Based on TSA’s actions, we closed the five recommendations. As
part of this audit, we revisited these areas to determine TSA’s progress in establishing
key IT management capabilities to support mission needs.

² Information Technology Management Needs to Be Strengthened at the Transportation Security
Administration, OIG-08-07, October 2007.

Results of Audit

IT Management Capabilities Established

The CIO has taken actions to establish key IT management capabilities to support
TSA’s mission.
Specifically, the CIO updated its IT strategic plan to guide OIT in
supporting TSA and Department mission goals. In addition, the CIO
implemented a systems engineering life cycle (SELC) process to manage IT
programs. The CIO also implemented IT Acquisition Review (ITAR) processes and
developed an enterprise architecture. These actions can help support effective
IT management and ensure that IT investments provide effective support for
TSA’s transportation security mission.

Strategic Planning

The Government Performance and Results Act of 1993 holds Federal agencies
responsible for strategic planning to ensure efficient and effective operations
and use of resources to achieve mission results.³ Additionally, Office of
Management and Budget (OMB) Circular A-130, as revised, instructs agency CIOs
to create strategic plans that demonstrate how information resources will be
used to improve the productivity, efficiency, and effectiveness of government
programs.⁴ DHS Management Directive (MD) 0007.1 requires component CIOs
to develop and implement an IT strategic plan that clearly defines how IT
supports an agency’s mission and drives investment decisions, guiding the
agency toward its goals and priorities.⁵

The TSA CIO has an up-to-date strategic plan that is in line with Federal
requirements and Department guidance. Specifically, the CIO developed the TSA
IT Strategic Plan, FY 2012–2016 in October 2011. The plan identifies an
actionable and measurable IT strategy that articulates the CIO’s vision, mission,
goals, and objectives through FY 2016.
Table 1 shows the five goals included in
the plan.

³ Public Law 103-62, Government Performance and Results Act of 1993, August 3, 1993.
⁴ OMB Circular A-130, Management of Federal Information Resources, Transmittal Memorandum #4,
November 28, 2000.
⁵ DHS MD 0007.1, Information Technology Integration and Management, March 15, 2007.

Table 1. TSA OIT Strategic Goals

TSA OIT FY 2012-16 Strategic Goals
Goal 1: Deliver IT services that are aligned to TSA’s mission and business needs through
        collaboration and implementation of best practices
Goal 2: Provide an information environment that fosters secure collaborative
        information sharing among TSA and its stakeholder organizations
Goal 3: Evolve the IT infrastructure into a cohesive architecture to optimize service
        delivery
Goal 4: Strengthen the cyber security and information assurance capability to ensure
        TSA assets and operations are protected
Goal 5: Develop and implement a comprehensive approach to ensure excellence of IT
        delivery through recruitment, development, retention, and recognition

To accomplish these goals, the TSA CIO has established specific objectives with
associated key performance metrics.
For example, to meet the goal to develop
and implement a comprehensive approach to ensure excellence of IT delivery
through recruitment, development, retention, and recognition, the plan
identifies two objectives—to provide comprehensive and effective IT human
capital management, and to establish a career path framework aligned with IT
competencies that support succession management. For each of these
objectives, the plan defines key performance metrics that will measure progress
toward achieving the goal. For example, the implementation of an integrated
TSA IT human capital plan and the development of a career path framework for
IT learning and development will contribute to TSA OIT’s goal to develop an
approach to ensure excellence of IT delivery.

The TSA IT Strategic Plan, FY 2012–2016 aligns with the goals identified in the
DHS and TSA strategic plans. The plan is also aligned with the DHS IT Strategic
Plan 2011–2015 to ensure that TSA OIT supports the DHS CIO’s department-wide
IT goals. Table 2 shows the alignment of OIT goals with DHS and TSA goals.

Table 2. Alignment of TSA OIT Goals with TSA, DHS, and DHS IT Goals

                                                                  TSA OIT
Plan    Goal                                                      Goal 1  Goal 2  Goal 3  Goal 4  Goal 5
TSA     Goal 1: Risk-based security                                 ✓       ✓               ✓
        Goal 2: Workforce engagement                                ✓                               ✓
        Goal 3: Organizational efficiency                           ✓               ✓
DHS     Goal 1: Prevent terrorism and enhance security              ✓       ✓               ✓
        Goal 2: Secure and manage United States borders             ✓       ✓
        Goal 3: Enforce and administer immigration laws             ✓
        Goal 4: Safeguard and secure cyberspace                     ✓               ✓       ✓
        Goal 5: Ensure resilience to disasters                      ✓       ✓       ✓
DHS IT  Goal 1: Establish secure IT services and capabilities to    ✓
                protect the homeland and enhance our Nation’s
                preparedness, mitigation, and recovery capabilities
        Goal 2: Improve secure and trusted internal and             ✓       ✓               ✓
                external information sharing
        Goal 3: Improve transparency, accountability, and           ✓               ✓
                efficiencies of services and programs through
                effective governance and enterprise architecture
        Goal 4: Develop and implement a comprehensive               ✓                               ✓
                approach to IT employee recruitment, development,
                retention, and recognition to ensure excellence in IT
                delivery across the Department

The TSA CIO’s development of a well-aligned, up-to-date strategic plan that
defines a clear vision and direction positions TSA OIT to provide effective support
for TSA’s transportation security mission.

Systems Engineering Life Cycle

DHS Acquisition Instruction/Guidebook #102-01-001, Appendix B, requires
agencies to follow a SELC process.⁶ The purpose of the DHS SELC is to establish a
standard system life cycle framework across DHS agencies and to ensure that
DHS IT capabilities are delivered efficiently and effectively.

⁶ DHS Acquisition Instruction/Guidebook #102-01-001, Appendix B, Interim Version 2.0, September 21,
2010.

The TSA CIO implemented the DHS SELC process in compliance with
departmental guidance. OIT maintains an online site to guide TSA project
managers and participants in complying with the DHS SELC. This online tool
enables users to tailor the SELC to meet their project needs and contains
templates and guidance to aid users in the development of documents for each
of the nine stages of the SELC.
Figure 2 shows the nine stages of the SELC.

Figure 2. TSA SELC Phases

TSA staff initiate the SELC process by submitting a project request to OIT. An OIT
Customer Relations Manager works with the staff to match their business
requirements with existing IT products and services and to initiate project
requests by completing a project authorization document.

The OIT Business Technology Council reviews projects to ensure that all IT
projects align to the TSA strategic plan, TSA initiatives and goals, and TSA’s
enterprise architecture. The OIT General Managers for the IT Strategy and
Innovation Office and the IT Operations Office co-chair the council, which meets
biweekly, and office division directors serve as members. After the council
approves a project, OIT assigns a project manager, who guides staff through the
next steps, including defining requirements and creating required SELC
documents. For example, a Mission Needs Statement, which states why the
investment needs to be undertaken, is required for all IT projects.

The CIO’s implementation of the SELC process should help TSA ensure that its IT
investments will support TSA and DHS strategic goals.

IT Acquisition Review

DHS MD 0007.1 requires IT acquisitions valued at $2.5 million or greater to be
submitted to the DHS CIO for review. This directive also requires component
CIOs to implement an ITAR process for IT acquisitions below $2.5 million.
ITAR is
required before the award of an IT procurement so that acquisitions are aligned
with IT policy, standards, objectives, and goals across DHS.

The TSA CIO has implemented an ITAR process that aligns with DHS policies.⁷
TSA customers begin the ITAR process by submitting a complete procurement
request package with supporting documentation, such as a statement of work,
an independent government cost estimate, and market research, to the ITAR
“TSAITBUY” team. The ITAR TSAITBUY team sends complete procurement
request packages to the appropriate review groups to ensure that the packages
comply with TSA acquisition guidelines. Specifically, each IT procurement
package must go through enterprise architecture, accessibility, investment level,
infrastructure, information security, and records management reviews. For
example, the enterprise architecture group determines if the request is part of a
program that has been reviewed by the enterprise architecture board, if the
customer has submitted a list of hardware and software products included in the
request, if the requested products are listed in the Department’s approved
technology list, and if the request is part of an upgrade to an enterprise service,
among other items.
The information security group determines, for example, if
there are requests for hardware or software that will hold or handle DHS
sensitive information, and if so, if the package includes a clause that indicates
the request will meet specific security certifications and compliance standards.

Once a procurement request has been approved, requests totaling $2.5 million
or more are submitted to the DHS ITAR team for review with subsequent
approval by the DHS CIO. The TSA CIO approves requests for less than $2.5
million. In FY 2012, 74 requests were submitted to the DHS CIO, and 698
requests were submitted through the TSA ITAR process.

Enterprise Architecture

The Clinger-Cohen Act of 1996, as amended, and OMB circulars mandate the
establishment and use of an enterprise architecture to guide and direct
government investments from inception through retirement. 8 9 In addition,
OMB Memorandum M-11-29 states that CIOs must use an enterprise
architecture to consolidate duplicative investments and applications. 10 An
enterprise architecture describes the current architecture, target architecture,
and transition strategy for attaining the target goals and objectives. An
enterprise architecture enables leadership to prioritize available resources to
support mission functions, ensures that mission requirements drive technology
investments, and identifies current capabilities and performance gaps and
projected future gaps.

7 TSA Management Directive 300.15, Information Technology Acquisition Review, signed January 6, 2012,
provides TSA policy and procedures for the ITAR process.
8 Public Law No. 104-106, Division E, February 10, 1996. The law, initially titled the Information
Technology Management Reform Act of 1996, was subsequently renamed the Clinger-Cohen Act of 1996
in Public Law No. 104-208, September 30, 1996.
9 OMB Circular A-130, Revised, Management of Federal Information Resources, November 28, 2000; and
OMB Circular A-11, Revised, Preparation, Submission, and Execution of the Budget, August 3, 2012.
10 OMB M-11-29, Chief Information Officer Authorities, August 8, 2011.

The TSA CIO developed an enterprise architecture to align with the Department’s
architecture and guide TSA’s IT environment. From 2011 through 2012, TSA
provided the Department with a self-assessment status report each quarter on
its enterprise architecture program. In this report, TSA rated its progress against
the Government Accountability Office (GAO) Enterprise Architecture
Management Maturity Framework. 11 In March 2011, TSA identified its
enterprise architecture maturity at stage zero of the six stages of the GAO
Enterprise Architecture Management Maturity Framework, meaning TSA was
creating enterprise architecture awareness.
In its last FY 2012 status report, TSA
rated its progress at stage four maturity, which means that TSA has developed
an approved version of its enterprise architecture that is used for targeted
results, such as guiding investment decisions.

In FY 2012, the Homeland Security Systems Engineering and Development
Institute, the Department’s federally funded research and development center,
began conducting independent, objective reviews of the quarterly status reports
of select DHS components. Since the last quarter of FY 2011, TSA had each of its
self-assessed enterprise architecture maturity scores independently reviewed
and evaluated. As of the last quarter of FY 2012, the institute independently
identified TSA’s enterprise architecture program at stage four maturity. Figure 3
shows TSA’s enterprise architecture maturity within the stages of the Enterprise
Architecture Management Maturity Framework.

11 GAO-10-846G, A Framework for Assessing and Improving Enterprise Architecture Management (Version
2.0), August 2010.

Figure 3. Stages of Enterprise Architecture Management Maturity Framework
with TSA Enterprise Architecture Maturity

ITAR Process Implementation Limited

Although the TSA CIO implemented an ITAR process, not all IT procurements
have gone through the process. For example, the Explosives Detection System
(EDS) and the Advanced Imaging Technology (AIT) procurements did not go
through the ITAR process.
These systems did not go through the review
processes because the responsible program managers did not categorize them
as IT procurements. As a result, there was little assurance that all IT investments
were aligned with the CIO’s strategy or TSA’s future IT mission needs. Limited
ITAR implementation also hinders the CIO’s ability to manage TSA’s IT
environment, which increases the risk of security issues and hampers cost-saving
efforts.

Explosives Detection Systems
EDS units capture images and scan checked baggage to analyze the contents and
determine whether explosive threats might be present. In 2009, TSA procured
77 EDS units as part of a contract amounting to approximately $29.9 million. As
of October 2010, TSA had 2,297 EDS machines, 1,938 of which were deployed at
airports in the United States. EDS units contain IT hardware and software
components that display, process, and transmit data.

Advanced Imaging Technology
AIT is used to screen passengers to detect weapons, explosives, and other
threats to protect the traveling public. TSA uses two types of AIT, millimeter
wave imaging technology and backscatter technology, to screen passengers for
both metallic and non-metallic threats.
Both types of AIT units contain IT
hardware and software components that display, process, and transmit data.
Millimeter wave imaging technology detects threats by displaying a generic
outline of a person on a monitor attached to the unit highlighting any areas that
may require additional screening. If no anomalies are detected, an “OK” appears
on the screen with no outline. Backscatter technology projects an X-ray beam
over the body surface and creates an image, transmits this image to a remote
location, and displays it on a monitor for a TSA officer to review. The technology
has a privacy filter that blurs the image so that it resembles a chalk etching. As
of December 2012, there were more than 800 imaging technology devices at
approximately 200 airports, and TSA had spent approximately $140 million on
AIT equipment.

These IT systems and equipment did not go through the ITAR or enterprise
architecture review processes because TSA did not designate all procurements
with IT components as IT procurements. Program offices can bypass the ITAR
process by identifying a procurement as non-IT. According to TSA’s acquisition
review process procedures, the program official making the procurement
request determines if any of the proposed procurement requirements contain IT
components.
12 If the program official determines that the procurement does not
contain IT, the procurement may not be submitted for ITAR review to ensure
that it meets enterprise architecture, application architecture, software
management, and security and accessibility requirements.

The Federal Government, DHS, and TSA all have defined IT to include IT
equipment or systems that display, manipulate, or transmit data. 13 Although
TSA guidance is aligned with the Department’s and Federal guidance on the
definition of IT, the TSA CIO has authority only over programs that TSA program
managers have defined as IT. Even though security technology equipment, such
as EDS and AIT, display, manipulate, and transmit data, TSA designated as IT only
the portion of the EDS and AIT technologies that connects to the TSA network.

Several TSA officials with whom we met told us that designating programs as “IT”
created significant workload for program managers.
IT procurements must go
through more reviews than those designated as non-IT procurements; therefore,
IT procurements typically take longer to go through the acquisition process.

12 TSA OIT Acquisition Review Process Standard Operating Procedure, January 6, 2009, and TSA
Management Directive 300.15, Information Technology Acquisition Review, signed January 6, 2012.
13 The Federal, Department, and TSA definitions of IT are shown in appendix C.

However, the ITAR process enables the CIO to align IT acquisitions with TSA IT
policies, standards, objectives, and goals. ITAR also helps the CIO validate TSA’s
alignment with the DHS enterprise architecture and ensure compliance with
security and accessibility requirements. Information Assurance and Cyber
Security Division staff have had to modify contracts to include appropriate
security language and clauses because these security technologies did not
undergo the standard ITAR process.
IT acquisitions that do not go through the
ITAR process are not subject to alignment reviews and may increase costs for
operations and maintenance, limit opportunities for system integration, and
create a risk to TSA’s IT environment.

Recommendations

We recommend that the Deputy Administrator, Transportation Security
Administration:

Recommendation #1:

Direct all TSA program offices to apply the Department’s definition of IT for all
acquisitions.

Recommendation #2:

Develop and implement a process to ensure that all IT acquisitions, including
passenger and baggage screening equipment, go through IT Acquisition Review
and receive enterprise architecture, security, and privacy reviews.

Management Comments and OIG Analysis

We obtained written comments on a draft of this report from the Administrator,
Transportation Security Administration. We have included a copy of the
comments in their entirety in appendix B.

In the comments, the Administrator concurred with our recommendations and
provided details on steps being taken to address specific findings and
recommendations in the report. We have reviewed management’s comments
and provided an evaluation of the issues outlined in the comments below.

In response to recommendation one, the Administrator concurred and stated
that TSA has codified the definition of IT in TSA Management Directive 300.15,
Information Technology Acquisition Review.
Further, the Administrator stated
that there should be a mechanism for determining the application of the
definition of IT in program designations. To adjudicate the application of the
definition of IT in program designation, TSA included a process in its draft
Management Directive 1400.20, IT Governance. That approval process involves
the CIO, the Chief Procurement Officer Executive/Component Acquisition
Executive, and the Program Office in the IT designation process. We recognize
the inclusion of the process in the draft Management Directive 1400.20 as a
positive step toward addressing this recommendation, and look forward to
learning more about continued progress. This recommendation will remain
open pending evidence of further progress in this regard.

In response to recommendation two, the Administrator concurred and stated
that IT acquisitions, when determined to be designated as IT, will follow the DHS
ITAR guidelines and process. However, the Administrator stated that TSA takes
exception to the presumption that the Electronic Baggage Screening Program
and Passenger Screening Program are IT programs. We disagree with this
assertion. As stated in our report, baggage and passenger security screening
equipment displays, manipulates, and transmits data, which meets the Federal
definition to be designated as information technology.
Although we are
encouraged by TSA’s actions to establish a process as described in
recommendation one to evaluate the program for IT designation, we expect this
evaluation to include all IT acquisitions, including security screening equipment.
This recommendation will remain open pending evidence of further progress in
this regard.

Support of Mission Needs

The TSA CIO faces challenges in ensuring that the IT environment fully supports
TSA’s mission needs. Specifically, TSA’s IT systems do not provide the full
functionality needed to support its mission. For example, some systems did not
provide the reporting functions needed, and other systems were not compatible
or were not integrated. The limited IT functionality experienced in the field is
due to challenges with TSA’s requirements gathering process. As a result, staff
created manual workarounds or developed local systems to accomplish their
mission. In addition, IT specialist roles were not well defined or communicated,
and the number of IT support staff was not sufficient to support users at certain
field sites.
Some field sites detailed employees from operational areas to fill in
gaps in IT support, reducing the number of staff available to serve at security
checkpoints.

IT Functionality

DHS MD 0007.1 states that the component CIO is responsible for timely delivery
of mission IT services in direct support of component mission, goals, objectives,
and programs. In addition, agencies are required to acquire, manage, and use IT
to improve mission performance. 14

14 Public Law 104-13, Paperwork Reduction Act of 1995, May 22, 1995.

TSA’s IT systems do not fully provide the functionality needed to support its
mission. Specifically, personnel with whom we spoke identified the following
instances in which the systems they used were not sufficient to meet their
needs:

• The Electronic Time, Attendance, and Scheduling (eTAS) system that TSA
  provided for scheduling did not help staff effectively plan for and
  schedule the numbers and types of staff needed to screen passengers
  and baggage. Being able to schedule resources efficiently at an airport is
  important because of the varying amounts of passenger traffic
  throughout the year and TSA’s specific requirements regarding the types
  of security officers needed at security gates. For example, managers at
  one airport must schedule 1,300 employees at 22 work locations and
  ensure that the employees at each checkpoint meet appropriate ratios
  for gender, part-time staff, and full-time staff. In addition, managers
  need to adjust schedules based on peaks in airport traffic, such as
  holidays. According to users, eTAS reports did not include the necessary
  data and were not timely. In addition, eTAS was not interoperable with
  other systems. Users at one site reported that data did not transfer
  properly between eTAS and an enterprise timekeeping system. Staff had
  to be taken off of security checkpoints to adjust manually for the
  differences between the two systems in the number of hours staff
  worked. Staff at some sites reported that there was no scheduling
  system with the ability to provide real-time information, such as an
  employee headcount, and that they had to manipulate three reports
  generated by enterprise-wide systems in order to obtain necessary
  operational information such as the hours worked by an employee.

• Users at some airports relied on a business tool that allowed personnel to
  generate timely, thorough performance measures, metrics, and
  operational reports, which TSA uses to track and analyze operational
  data. However, this tool was not compatible with the operating system
  on the new computers installed as part of the computer replacement
  program.
  The staff at these locations switched back and forth between
  an older operating system to use the reporting tool and the newer
  operating system for other activities. The Office of Security Operations
  told us that it had purchased a newer version of the tool that is
  compatible with the new computers, but this new tool had not been
  installed at the time of our fieldwork.

• Reports generated from the TSA system for payroll management did not
  contain up-to-date information. Personnel at one airport stated that it
  could take 2 to 4 weeks for a new hire to show up in this system.
  Managers responsible for TSA field operations reported that they could
  not effectively carry out their mission with this outdated information.

• TSA systems used for incident reporting were not integrated. When an
  incident, such as a theft or a detected threat, occurred, TSA staff
  documented the incident and reported it to various offices at
  headquarters, such as the Transportation Security Operations Center and
  the Office of Security Operations.
  Field personnel had to enter manually
  the same or similar incident report information into three separate
  systems—the Security Incident Reporting Tool, the Airport Information
  Management System, and the Performance and Results Information
  System.

TSA’s systems do not provide the needed functionality because of challenges
with the requirements gathering process. OIT Field Relations Managers are
responsible for ensuring that field stakeholders’ critical IT requirements are
understood, prioritized, implemented, and supported. OIT Customer Relations
Managers are responsible for assisting TSA operational components with
documenting business requirements for IT products and services and
shepherding IT project requests through TSA’s IT governance process. TSA OIT
senior managers, however, reported concerns about the lack of requirements
gathering from the field. In addition, an internal TSA report from November
2012 stated that there did not appear to be an institutionally supported forum in
which field requirements were articulated, shared, widely vetted, and
synthesized into a common set of needs that would serve all airports.
Field staff told us that their concerns regarding requirements were not being
addressed. Some staff reported that they stopped sharing concerns, and instead
developed manual workarounds.

In addition to developing manual workarounds, TSA field personnel at some sites
developed systems to meet their mission needs and objectives. For example, at
one airport, staff created a system called the Central Employee Database, which
consolidated data from a number of TSA IT systems into a single system. This
local system allowed end-users to generate real-time executive status reports, as
well as daily, weekly, monthly, and annual summaries. OIT shut down this
system in 2012 because of security concerns. At another airport, staff created a
system to meet their management reporting and scheduling needs. The system
allowed them to enter the information they needed into one central system and
export it into reports seamlessly—a function not provided by the TSA scheduling
system. Users told us that this system was user-friendly. The system included
multiple modules for scheduling, tracking training, and other management tools,
and users’ access level was adjusted based on their roles.

Locally developed systems increase security and privacy risks, particularly if
these systems have not been reviewed or authorized by OIT headquarters.
If systems contain personally identifiable information and have not undergone the
appropriate compliance, such as a privacy threshold analysis or privacy impact
assessment, vulnerabilities may exist that may put this information at risk and
lead to violations of the Privacy Act. 15 Further, since a locally developed system
may not be reviewed by TSA system security personnel, its use could
compromise network security through malicious network intrusions. In addition,
when field staff must undertake manual processes to obtain the information
they need, they are less able to meet critical mission objectives in a timely and
efficient manner. For example, when screeners have to spend time manually
entering data into systems or manipulating data for the information they need,
there are fewer personnel available to serve at security checkpoints.

15 A privacy threshold analysis is performed to determine if additional privacy compliance documentation
is required, such as a privacy impact assessment. A privacy impact assessment documents what
personally identifiable information the Department is collecting, why it is being collected, and how it will
be used, shared, accessed, and stored.

IT Support

IT specialist roles are not well defined or communicated, and the number of IT
support staff is not sufficient to support users at certain field sites. IT specialists
are contracted support staff who provide user, hardware, and communications
support at an airport or designated field site. Not all managers responsible for
oversight of IT specialists and key decision-makers were fully aware of IT
specialists’ roles and responsibilities. According to managers in the field, under
the IT Infrastructure Program contract, IT specialists reported directly to the
contractor, but their day-to-day activities on-site typically were overseen by a
Federal employee IT point of contact. Some Federal IT points of contact with
whom we met, however, were not able to access the contract or did not know
the roles or responsibilities of IT specialists. As a result, these managers could
not make sure they were using the IT specialists effectively.

Some IT specialists also were not fully aware of their roles and responsibilities.
One IT specialist told us that IT specialists frequently strayed from the specifics
of the contract, and that the IT specialist’s role was different at different TSA
field locations, despite roles and responsibilities being universal and specified
under a single, enterprise-wide contract. In addition, some TSA staff were
unaware of the roles of IT specialists, and therefore their expectations of the IT
specialists sometimes differed from officially assigned roles.

Additionally, the number of IT support staff was not sufficient to support users at
certain field sites. At the time of our fieldwork, TSA employed 89 IT specialists,
who were assigned to Category X and Category I airports. 16 The ratio of IT
specialists to the number of users supported, however, varied significantly at
different locations. For example, at Chicago Midway International Airport, one
IT specialist supported approximately 200 users. At Chicago O’Hare International
Airport, one IT specialist supported approximately 2,200 users. Furthermore, IT
specialists may also have to travel to smaller airports. Users with whom we met
sometimes had to wait several hours or more for IT support for a time-sensitive,
mission-critical, or otherwise urgent task, even when an IT specialist was on site,
and staff sometimes waited several days or a week for help with their requests
for IT support.

16 TSA classifies the Nation’s airports into one of five categories (X, I, II, III, and IV) based on various factors
such as the number of takeoffs and landings annually, the extent of passenger screening at the airport,
and other security considerations. In general, Category X airports have the largest number of passenger
boardings, and Category IV airports have the smallest.

To fill gaps in IT support staff, several field sites detailed employees from other
operational areas. Staff detailed to help IT support in TSA field sites were
frequently security officers or screeners, not IT specialists. In their IT roles, these
security officers or other operational staff members provided support to users
by fixing computers, setting up networks, and developing and administering local
IT systems. While serving in an IT support capacity, these operational staff were
no longer performing their originally assigned security or screening duties. In
addition, these staff may not be qualified or trained to serve in IT support
functions. By reducing the number of available personnel for security
checkpoints, as well as placing staff in positions that require a specific technical
training, TSA may hinder its ability to carry out its transportation security
mission.

Recommendations

We recommend that the Deputy Administrator, Transportation Security
Administration, direct the Chief Information Officer, Transportation Security
Administration, to:

Recommendation #3:

Develop and implement a process to capture IT requirements in the field.

Recommendation #4:

Communicate the IT specialist role, as contractually defined, to both IT
specialists and to the user community.

Recommendation #5:

Develop and implement a process to provide sufficient IT support, such as an
appropriate number of IT specialists, in airports and operational sites in the field.

Management Comments and OIG Analysis

The Administrator, Transportation Security Administration, concurred with our
recommendations and provided details on steps being taken to address specific
findings and recommendations in the report. We have reviewed management’s
comments and provided an evaluation of the issues outlined in the comments
below.

In response to recommendation three, the Administrator concurred and stated
that the TSA OIT and Office of Security Operations will jointly produce
procedures to improve the requirements definition and development process.
The Administrator also provided details about initiatives underway for
identifying requirements in the field, such as the implementation of a
documented process for all programmatic requests to support TSA customers in
the field and the Deputy CIO’s regularly scheduled bi-weekly site visits to various
airports as another means for identifying requirements in the field.
We\n           recognize these actions as positive steps toward addressing this\n           recommendation, and look forward to learning more about progress in\n           improving the requirements definition and development process. This\n           recommendation will remain open pending evidence of further progress in this\n           regard.\n\n           In response to recommendation four, the Administrator concurred with the\n           recommendation and stated that TSA has already taken action to communicate\n           the IT specialist role, by providing a nonproprietary synopsis of IT support duties\n           to new Federal Security Directors, as well as Federal Security Directors and\n           senior local staff upon request. Further, the Administrator stated that a\n           nonproprietary synopsis of those duties will be posted on the OIT/End User\n           Services/IT Field Services Branch SharePoint site, to which all IT Specialists and\n           locally assigned IT points of contacts have access. We recognize these actions as\n           positive steps toward addressing this recommendation, and look forward to\n           learning more about progress made toward communicating the IT specialist role,\n           as contractually defined, to both IT specialists and the user community. This\n           recommendation will remain open pending evidence of further progress in this\n           regard.\n\n           In response to recommendation five, the Administrator concurred with the\n           recommendation. 
The Administrator said that primary IT support for Category X\n           and I airports is provided by an on-site IT Specialist, who also provides secondary\n           support to spokes (Category II-IV airports) of their hub airport and may assist at\n           other sites; primary support for Category II-IV airports is provided by dispatched\n           Field Equipment Service Support technicians. The Administrator said that the\n           field support is dependent upon available funding for these support services, and\n           that the current service model is the most efficient and effective employment of\n           IT resources in support of all category airports. We recognize that field support\n           is dependent upon available funding, and look forward to learning about\n           progress made toward addressing this recommendation. This recommendation\n           will remain open pending evidence of further progress in this regard.\n\n\n   Appendix A\n   Objectives, Scope, and Methodology\n   The DHS Office of Inspector General was established by the Homeland Security Act of\n   2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. 
This is\n   one of a series of audit, inspection, and special reports prepared as part of our oversight\n   responsibilities to promote economy, efficiency, and effectiveness within the\n   Department.\n\n   As part of our ongoing responsibilities to assess the efficiency, effectiveness, and\n   economy of departmental programs and operations, we conducted an audit to\n   determine TSA\'s progress in establishing key IT management capabilities to support\n   mission needs.\n\n   We researched and reviewed Federal laws, management directives, and agency plans\n   and strategies related to IT systems, management, and governance. We obtained\n   published reports, documents, and news articles regarding TSA\'s management and use\n   of IT. Additionally, we reviewed recent GAO and DHS OIG reports to identify prior\n   findings and recommendations. We used this information to establish a data collection\n   approach that consisted of focused information-gathering meetings, documentation\n   analysis, site visits, and system demonstrations to accomplish our audit objectives.\n\n   We held meetings and teleconferences with TSA staff at headquarters and field offices.\n   Collectively, we met with more than 120 individuals, such as headquarters officials, field\n   office staff, and system users, to learn about TSA\'s IT functions, processes, and\n   capabilities. At headquarters, we met with TSA OIT officials including the CIO, Deputy\n   CIO, General Managers, division directors, branch chiefs, and program managers to\n   discuss their roles and responsibilities related to TSA IT management. 
We also met with\n   staff from OIT offices and divisions, including IT Strategy and Innovation, Mission\n   Engagement, Strategy and Enterprise Management, Enterprise Architecture, IT\n   Operations, End User Services, Applications Development, Business Management Office,\n   and FAMS IT.\n\n   At TSA field locations, we met with Federal Security Directors, Assistant Federal Security\n   Directors, and their staff; coordination center managers; training managers;\n   administrative officers; property administrators; transportation security managers;\n   transportation security officers; and other system users to understand IT development\n   practices, user requirements, and system use in the field. We discussed the current IT\n   environment and the extent to which it supports mission needs, local IT development\n   practices, and user involvement and communication with headquarters. We collected\n   supporting documents about TSA\'s IT environment, IT management functions, current\n   initiatives, and improvement initiatives.\n\n   We conducted audit fieldwork from September 2012 to January 2013 at TSA\n   headquarters offices in Arlington, Virginia. We conducted additional audit fieldwork at\n   TSA field locations.\n\n   We conducted this performance audit between September 2012 and March 2013\n   pursuant to the Inspector General Act of 1978, as amended, and according to generally\n   accepted government auditing standards. Those standards require that we plan and\n   perform the audit to obtain sufficient, appropriate evidence to provide a reasonable\n   basis for our findings and conclusions based upon our audit objectives. 
We believe that\n   the evidence obtained provides a reasonable basis for our findings and conclusions\n   based upon our audit objectives.\n\n   The principal OIG points of contact for this audit are Frank Deffer, Assistant Inspector\n   General for Information Technology Audits, and Richard Harsche, Director of\n   Information Management. Major OIG contributors to the audit are identified in\n   appendix D.\n\n\n   Appendix B\n   Management Comments to the Draft Report\n\n\n       Discussion\n\n       While TSA concurs with the OIG\'s recommendations, there is one specific area within the report\n       on which we would like to comment.\n\n      TSA accepts the recommendation that IT acquisitions, when designated as IT, will follow the\n      DHS IT acquisition review (ITAR) guidelines and process. TSA does not agree with the OIG\'s\n      recommendation that presumes the Electronic Baggage Screening Program (EBSP) and the\n      Passenger Screening Program (PSP) are IT programs by the phrase "including passenger and\n      baggage screening equipment." 
TSA is establishing a process through our draft Management\n      Directive 1400.20, IT Governance in which the Chief Information Officer (CIO), the Chief\n      Procurement Officer Executive/Component Acquisition Executive, and the Program Office\n      jointly evaluate the program for IT designation and apply necessary IT governance.\n\n      The recommendations highlighted in OIG\'s report will help TSA continue improving and\n      implementing effective oversight of Agency investments. TSA concurs with the\n      recommendations and has already taken steps to address them. What follows are TSA\'s specific\n      responses to the recommendations contained in the OIG report.\n\n      Recommendation #1: Direct all TSA program offices to apply the Department\'s definition of\n      IT for all acquisitions.\n\n      TSA concurs. TSA recognizes the need to apply the Department\'s definition of IT and has\n      codified that definition in TSA Management Directive 300.15, Information Technology\n      Acquisition Review. TSA\'s position is that while IT is an integral part of almost every program\n      we have, there should be a mechanism for determining the application of the definition in\n      program designations. That characteristic of IT is included in TSA\'s definition of IT in the\n      Management Directive. To adjudicate the application of the definition of IT in program\n      designation, TSA has included a process in our draft Management Directive 1400.20, IT\n      Governance. That approval process involves the CIO, the Chief Procurement Officer\n      Executive/Component Acquisition Executive, and the Program Office in the IT designation\n      process.\n\n      Recommendation #2: Develop and implement a process to ensure that all IT acquisitions,\n      including passenger and baggage screening equipment, go through IT Acquisition Review and\n      receive enterprise architecture, security, and privacy reviews.\n\n      TSA concurs. 
TSA accepts the recommendation that IT acquisitions, when determined to be\n      designated as IT, will follow the DHS ITAR guidelines and process. The Agency takes\n      exception to the presumption that EBSP and PSP are IT programs. As described in\n      Recommendation #1, TSA is establishing a process through our draft Management Directive\n      1400.20, IT Governance in which the CIO, the Chief Procurement Officer Executive/Component\n      Acquisition Executive, and the Program Office jointly evaluate the program for IT designation.\n      TSA has a well-established ITAR process that has been defined in TSA Management Directive\n      300.15, Information Technology Acquisition Review.\n\n\n       Recommendation #3: Develop and implement a process to capture IT requirements in the field.\n\n       TSA concurs. TSA has Office of Information Technology (OIT) Field Regional Managers\n       (FRM) assigned to support all airports managed by the Office of Security Operations (OSO).\n       These FRMs have been in place since TSA was stood up. Each of the FRMs is responsible for\n       supporting all IT-related requests within each of their respective areas of responsibility. TSA\n       acknowledged that the process could be refined well over a year ago, so the implementation of a\n       documented process for all programmatic requests was established to support our customers in\n       the field. 
This process allows OSO leadership to review these requests to determine if they are in\n       fact a priority for their organization and if the funding is available to support their request. In\n       addition, in an effort to collaborate with the field, the TSA Deputy CIO established a regularly\n       scheduled bi-weekly site visit schedule to various airports throughout the country as another\n       means for identifying requirements in the field. The TSA OIT and OSO will jointly produce\n       procedures to improve the requirements definition and development process.\n\n       Recommendation #4: Communicate the IT specialist role, as contractually defined, to both IT\n       specialists and to the user community.\n\n       TSA concurs. IT support to the field sites is a contractual requirement under the current\n       infrastructure support contract. A nonproprietary synopsis of those duties is captured in a\n       handout that is provided to all newly assigned Federal Security Directors (FSD) as well as all\n       FSD and senior local staff on request. In addition, the synopsis will soon be posted on the\n       OIT/End User Services/IT Field Services Branch SharePoint site. All IT Specialists and locally\n       assigned IT points of contacts (POC) have access to this site. Weekly calls are conducted with\n       TSA\'s FRMs, the infrastructure support contractor\'s Customer Service Regional Managers\n       (CSRM), on-site IT Specialists, and local IT POC. These recurring conference calls provide a\n       forum to address both routine tasks and emerging projects and the responsibilities associated\n       with those tasks, if clarification is needed.\n\n       Recommendation #5: Develop and implement a process to provide sufficient IT support, such\n       as an appropriate number of IT specialists, in airports and operational sites in the field.\n\n       TSA concurs. 
Primary IT support for category X and I airports is provided by an on-site IT\n       Specialist. These IT Specialists also provide secondary support to the spokes (category II - IV\n       airports) of their hub airport. Meanwhile, they may also assist with special projects at other sites\n       not associated with their hub location, when required. Field Equipment Service Support (FESS)\n       technicians may also be used to provide additional support to category X and I airports when\n       workloads and/or special projects require additional support to meet particularly demanding\n       operational requirements within the contract service level agreements (SLA).\n\n       Primary support for Category II -IV airports is provided by dispatched FESS technicians. These\n       FESS technicians provide timely service from key locations across the country to airports within\n       their prescribed service areas. Contractual SLA prescribe response times and levels of service\n       for FESS support. These service levels and response times apply equally to all airports, category\n       X through IV. The field support is also dependent upon available funding for these support\n       services. 
The current service model is the most efficient and effective employment of IT\n       resources in support of all category airports.\n\n\n   Appendix C\n   Definition of Information Technology\n\n\n   Appendix D\n   Major Contributors to This Report\n\n   Richard Harsche, Division Director\n   Elizabeth Argeris, Audit Manager\n   Swati Nijhawan, Auditor-in-Charge\n   Daniel McGrath, Auditor\n   Raj Patel, Auditor\n   Joshua Wilshere, Referencer\n\n\n   Appendix E\n   Report Distribution\n   Department of Homeland Security\n\n   Secretary\n   Deputy Secretary\n   Chief of Staff\n   Deputy Chief of Staff\n   General Counsel\n   Executive Secretary\n   Director, GAO/OIG Liaison Office\n   Assistant Secretary for Office of Policy\n   Assistant Secretary for Office of Public Affairs\n   Assistant Secretary for Office of Legislative Affairs\n   Administrator, TSA\n   Deputy Administrator, TSA\n   Chief Information Officer, TSA\n   Liaison, TSA\n   Director of Local Affairs, Office of Intergovernmental Affairs\n   Acting Chief Privacy Officer\n\n   Office of Management and Budget\n\n   Chief, Homeland Security Branch\n   DHS OIG Budget Examiner\n\n   Congress\n\n   Congressional Oversight and Appropriations Committees, as appropriate\n\n\nADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this document, please call us at (202) 254-4100, fax your\nrequest to (202) 254-4305, or e-mail your request to our Office of Inspector General\n(OIG) Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov.\n\nFor additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter\nat: @dhsoig.\n\nOIG HOTLINE\n\nTo expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any\nother kinds of criminal or noncriminal misconduct relative to Department of Homeland\nSecurity (DHS) programs and operations, please visit our website at www.oig.dhs.gov\nand click on the red tab titled "Hotline" to report. 
You will be directed to complete and\nsubmit an automated DHS OIG Investigative Referral Submission Form. Submission\nthrough our website ensures that your complaint will be promptly received and\nreviewed by DHS OIG.\n\nShould you be unable to access our website, you may submit your complaint in writing\nto: DHS Office of Inspector General, Attention: Office of Investigations Hotline, 245\nMurray Drive, SW, Building 410/Mail Stop 2600, Washington, DC, 20528; or you may\ncall 1 (800) 323-8603; or fax it directly to us at (202) 254-4297.\n\nThe OIG seeks to protect the identity of each writer and caller.\n'